Anton Bobrov wrote, On 2009-01-15 16:52:
> Nelson Bolyard wrote:
>> LDAP gurus:
>>
>> Does LDAP have an equivalent of IMAP/POP/SMTP's StartTLS feature,
>> whereby a connection on a "normal" (non-SSL) port negotiates that it
>> will begin to use SSL/TLS, and then does begin to use it, on that same
>> connection, without opening a new connection on a new port?
>
> yes, here is related public api that we have implemented
> http://mxr.mozilla.org/mozilla/source/directory/c-sdk/ldap/include/ldap_ssl.h#75
Thanks, Anton. It's good to know that Mozilla's c-sdk API implements it. But I'm looking for protocol info, not API info.

>> If so, in what RFC or other document is it defined, and by what name is
>> it known?
>
> RFC 2830 Lightweight Directory Access Protocol (v3): Extension for
> Transport Layer Security

I found RFC 4511 section 4.14.1 and 4.14.2 which say:

    A client requests TLS establishment by transmitting a StartTLS request
    message to the server. The StartTLS request is defined in terms of an
    ExtendedRequest. The requestName is "1.3.6.1.4.1.1466.20037", and the
    requestValue field is always absent.

    When a StartTLS request is received, servers supporting the operation
    MUST return a StartTLS response message to the requestor. The
    responseName is "1.3.6.1.4.1.1466.20037" when provided (see Section
    4.12). The responseValue is always absent.

It wasn't apparent to me, initially, that OIDs are used as requests and responses. I guess I don't know enough about LDAP to understand those statements fully.

_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
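To make the RFC 4511 wording concrete, here is an added example (not part of the thread, and not the Mozilla c-sdk code Anton linked) that encodes the StartTLS ExtendedRequest and decodes the ExtendedResponse with hand-written BER, so the OID can be seen on the wire. The only protocol constant it takes from the page is the OID 1.3.6.1.4.1.1466.20037; the BER tag values and result code 53 (unwillingToPerform) come from RFC 4511, and the server replies it decodes are constructed sample data, not captures from a real server. The final function is the check a client should make before handing the socket to the TLS layer: same messageID, resultCode success, and a responseName that, when present, is the StartTLS OID.

```python
"""Encode/decode the LDAPv3 StartTLS extended operation (RFC 4511 4.12, 4.14)
with hand-written BER. The "request" is an ExtendedRequest whose requestName is
the OID string 1.3.6.1.4.1.1466.20037 and whose requestValue is absent; the
reply is an ExtendedResponse carrying an LDAPResult plus, optionally, the same
OID as responseName. Sample responses below are constructed, not captured."""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# BER identifier octets (class | constructed bit | tag number)
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_SEQUENCE = 0x30
TAG_EXTENDED_REQUEST = 0x77   # [APPLICATION 23], constructed
TAG_EXTENDED_RESPONSE = 0x78  # [APPLICATION 24], constructed
TAG_REQUEST_NAME = 0x80       # [0]  context-specific, primitive
TAG_RESPONSE_NAME = 0x8A      # [10] context-specific, primitive
RESULT_SUCCESS = 0
RESULT_UNWILLING_TO_PERFORM = 53


def ber_length(n):
    """Definite-form length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + ber_length(len(value)) + value


def ber_int(tag, n):
    """INTEGER/ENUMERATED contents for a non-negative n: minimal two's complement."""
    return tlv(tag, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


def read_tlv(buf, pos):
    """Return (tag, contents, position just past the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def build_starttls_request(message_id):
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }."""
    request_name = tlv(TAG_REQUEST_NAME, STARTTLS_OID.encode("ascii"))
    # requestValue ([1]) is always absent for StartTLS (RFC 4511 4.14.1)
    return tlv(TAG_SEQUENCE, ber_int(TAG_INTEGER, message_id)
               + tlv(TAG_EXTENDED_REQUEST, request_name))


def build_starttls_response(message_id, result_code, diagnostic="", with_name=True):
    """Constructed server reply: LDAPResult fields, then optional responseName."""
    result = (ber_int(TAG_ENUMERATED, result_code)
              + tlv(TAG_OCTET_STRING, b"")                      # matchedDN, empty
              + tlv(TAG_OCTET_STRING, diagnostic.encode("utf-8")))
    if with_name:                                               # optional on the wire
        result += tlv(TAG_RESPONSE_NAME, STARTTLS_OID.encode("ascii"))
    return tlv(TAG_SEQUENCE, ber_int(TAG_INTEGER, message_id)
               + tlv(TAG_EXTENDED_RESPONSE, result))


def parse_ldap_message(msg):
    """Decode an LDAPMessage holding an ExtendedRequest or ExtendedResponse."""
    tag, body, end = read_tlv(msg, 0)
    if tag != TAG_SEQUENCE or end != len(msg):
        raise ValueError("not a single LDAPMessage")
    tag, mid, pos = read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("messageID missing")
    out = {"message_id": int.from_bytes(mid, "big", signed=True)}
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag == TAG_EXTENDED_REQUEST:
        tag, name, p = read_tlv(op, 0)
        if tag != TAG_REQUEST_NAME:
            raise ValueError("requestName missing")
        out.update(op="ExtendedRequest", request_name=name.decode("ascii"),
                   has_request_value=p < len(op))
    elif op_tag == TAG_EXTENDED_RESPONSE:
        tag, rc, p = read_tlv(op, 0)
        _, _matched_dn, p = read_tlv(op, p)
        _, diag, p = read_tlv(op, p)
        out.update(op="ExtendedResponse", result_code=int.from_bytes(rc, "big", signed=True),
                   diagnostic=diag.decode("utf-8", "replace"), response_name=None)
        while p < len(op):                 # referral [3], responseName [10], responseValue [11]
            tag, val, p = read_tlv(op, p)
            if tag == TAG_RESPONSE_NAME:
                out["response_name"] = val.decode("ascii")
    else:
        raise ValueError("unexpected protocolOp tag 0x%02x" % op_tag)
    return out


def starttls_granted(request, response):
    """Client-side gate before starting the TLS handshake on the same socket."""
    req, resp = parse_ldap_message(request), parse_ldap_message(response)
    return (resp["op"] == "ExtendedResponse"
            and resp["message_id"] == req["message_id"]
            and resp["result_code"] == RESULT_SUCCESS
            and resp["response_name"] in (None, STARTTLS_OID))


if __name__ == "__main__":
    req = build_starttls_request(1)
    print(req.hex())  # 30 1d 02 01 01 77 18 80 16 ... : the OID string sits in the clear
    print(starttls_granted(req, build_starttls_response(1, RESULT_SUCCESS)))
    print(starttls_granted(req, build_starttls_response(1, RESULT_UNWILLING_TO_PERFORM, "no TLS")))
```

Dumping `build_starttls_request(1).hex()` shows why the RFC talks about OIDs "as requests": the protocolOp is a generic ExtendedRequest, and the 22-byte ASCII OID in its requestName is the only thing that tells the server which extended operation is meant. On the client side, only a matching response with resultCode 0 should be followed by the TLS handshake; any other result means the connection is still plaintext.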
